package com.dfy.config;

import com.dfy.filter.JwtAuthenticationFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public JwtAuthenticationFilter jwtAuthenticationFilter() {
        return new JwtAuthenticationFilter();
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors()
                .and()
            .csrf()
                .disable()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // 公开接口 - 用户相关
                .antMatchers("/api/users/register", "/api/users/login").permitAll()
                
                // 公开接口 - 景点相关
                .antMatchers(
                    "/api/spots",              // 景点列表
                    "/api/spots/home",         // 首页
                    "/api/spots/search",       // 搜索
                    "/api/spots/*/reviews",    // 评论操作
                    "/api/spots/{id}",         // 景点详情
                    "/api/spots/categories/**", // 分类相关
                    "/api/spots/types/**",     // 类型相关
                    "/api/orders/trips"        // 行程查询 - 移到公开接口
                ).permitAll()
                
                // 需要认证的接口
                .antMatchers(
                    "/api/spots/{spotId}/favorite",     // 收藏操作
                    "/api/spots/{spotId}/unfavorite",   // 取消收藏
                    "/api/orders/**"                    // 其他订单相关操作
                ).authenticated()
                
                // 管理员接口
                .antMatchers(
                    "/api/spots/create",
                    "/api/spots/{id}/update",
                    "/api/spots/{id}/delete",
                    "/api/admin/**"
                ).hasRole("ADMIN")
                
                // 其他所有请求需要认证
                .anyRequest().authenticated()
                .and()
            .addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
} 